Using key tool to make a CSR, how do I make a cert for tomcat ssl?


Question

My objective is to use keytool to create a certificate signing request (CSR), then take that CSR and make an actual cert to add to the keystore, add it, such that SSL (HTTPS//my.site.com) will work. This is for testing purposes.

So far I have done the following steps:

  1. Generate a keystore for my CSR:

keytool -genkey -dname "CN=test.com, OU=TEST, O=Test, L=TestCity, ST=Florida, C=US" -alias tomcat -keyalg RSA -keysize 2048 -keystore test.keystore -storepass changeit

  2. Generate the CSR:

keytool -certreq -alias tomcat -file request.csr -keystore test.keystore -storepass changeit

  3. Generate a server key to use with openSSL to create a signed cert. This required a password "changeit" and then a conversion to remove the password for the server.key:

openssl genrsa -des3 -out server.key 2048

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

  4. Generate my signed cert using the CSR:

openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt

  5. Finally, import the cert into my keystore.

keytool -import -trustcacerts -file server.crt -keystore test.keystore -alias tomcat -storepass changeit

The result is the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match
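The error comes from the certificate not carrying the keystore entry's public key: "openssl x509 -req -signkey server.key" self-signs with server.key, so the resulting certificate gets server.key's public key rather than the one in the CSR. The following is an added example, not code from the original question, that reproduces the mismatch with openssl alone (a plain RSA key stands in for the keytool key pair) and shows both the check that catches it and the sign-with-a-test-CA variant that keeps the CSR's key; all file names and subjects are constructed for the demo.

```shell
# Added example (not from the original post): the keytool key pair is replaced by a
# plain RSA key, since -genkey only stores a key pair; the import check is the same.
# All file names and subjects are constructed for the demo.
set -e
WORK=$(mktemp -d)

# pubkey_matches <private key> <certificate>: 0 if the certificate carries the public
# key of that private key. keytool -import does the same comparison and reports
# "Public keys in reply and keystore don't match" when it fails.
pubkey_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 1. The "keystore" key pair (what keytool -genkey produced) and its CSR.
openssl genrsa -out "$WORK/keystore.key" 2048 2>/dev/null
openssl req -new -key "$WORK/keystore.key" -subj "/CN=test.com/O=Test/C=US" \
    -out "$WORK/request.csr" 2>/dev/null

# 2. A second, unrelated key, as in the question's "openssl genrsa ... server.key".
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null

# Wrong: -signkey self-signs with server.key, so the certificate ends up carrying
# server.key's public key instead of the CSR's, and the keystore import fails.
openssl x509 -req -days 365 -in "$WORK/request.csr" -signkey "$WORK/server.key" \
    -out "$WORK/self_signed.crt" 2>/dev/null

# Right for a test setup: turn server.key into a throwaway CA and sign the CSR with
# -CA/-CAkey. The CSR's public key is kept; the issuer becomes the CA's subject.
openssl req -x509 -new -key "$WORK/server.key" -subj "/CN=Test CA" -days 365 \
    -out "$WORK/ca.crt" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/request.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/server.key" -CAcreateserial -out "$WORK/signed.crt" 2>/dev/null

signkey_cert_matches()   { pubkey_matches "$WORK/keystore.key" "$WORK/self_signed.crt"; }
ca_signed_cert_matches() { pubkey_matches "$WORK/keystore.key" "$WORK/signed.crt"; }

# Run the same check on any certificate before importing it into the keystore.
signkey_cert_matches   && echo "self_signed.crt: key matches" || echo "self_signed.crt: MISMATCH"
ca_signed_cert_matches && echo "signed.crt: key matches"      || echo "signed.crt: MISMATCH"
```

For a test keystore, the CA certificate (ca.crt here) is imported first under its own alias and the CA-signed certificate under the key's alias, so that keytool can build the chain.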

Answer

The following procedure describes the creation of a JKS keystore that works perfectly with JBoss 5.0 application server. Tomcat probably uses the same type of keystore.

You can create a private key in a Linux OS with the help of openssl utility.

Set umask to 077 so that the created file is only readable by the current user:

$ OLD_UMASK=`umask`   (umask is inside backtick characters)
$ umask 077

Create a private key of 2048 bits length and store it in file private_key.pem:

$ openssl genrsa 2048 > private_key.pem

Restore the file creation mask:

$ umask $OLD_UMASK

You can create a Certificate Signing Request (CSR) with the command:

$ openssl req -new -key private_key.pem -nodes

Next you will have to answer various questions. Give special attention to the Common Name field that must match the Fully Qualified Domain Name of your server. The command generates the following text that comprises the CSR:

-----BEGIN CERTIFICATE REQUEST-----
MIIBZYnPGQZK06tI6EKLGp7qmaFAIAe ...
....
-----END CERTIFICATE REQUEST-----

Generate a chain certificate

The procedure assumes that you have (a) a private key in file private_key.pem, (b) a digital certificate that you have received from a Certificate Authority (CA) in file certificate.pem and (c) a chain certificate that certifies the CA in file ca_chain_cert.pem.

In case that your CA is certified by another authority CA1 that is finally certified by a root CA CA_ROOT (CA -> CA1 -> CA_ROOT) and the respective certificates are available in individual files ca_cert.pem, ca1_cert.pem and ca_root.pem respectively, you can create the ca_chain_cert.pem through the command:

$ cat ca_cert.pem ca1_cert.pem ca_root.pem > ca_chain_cert.pem

The chain certificate is generated by combining certificate.pem with the ca_chain_cert.pem:

$ cat certificate.pem ca_chain_cert.pem > chain.pem

The concept is that you must have a file that includes all certificates with the order:

  1. Host certificate
  2. CA certificate
  3. CA1 certificate
  4. Root CA certificate

Generate the JKS keystore

This step assumes that file chain.pem includes the chain of certificates, private_key.pem the private key and certificate.pem the server certificate that you received from the CA (first part of the chain).

Create a PKCS12 keystore in file keystore.p12 from the certificate chain and the private key with the following command:

$ openssl pkcs12 -export -name server_cert -in chain.pem -inkey private_key.pem -certfile certificate.pem -out keystore.p12

Write down the Export password as it will be used in all the following steps to have access to the keystore.

Create a JKS keystore in file server.keystore from the PKCS12 keystore:

$ keytool -importkeystore -destkeystore server.keystore -srckeystore keystore.p12 -srcstoretype pkcs12 -alias server_cert

You can list the certificates with the following command:

$ keytool -list -v -keystore server.keystore

Verify that the command output states the correct size of the certificate chain. In the case of CA, CA1 and CA_ROOT the size must be 4.
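As an added example (not part of the answer above), the following script builds a throwaway ROOT -> CA1 -> CA hierarchy with openssl, assembles chain.pem in the order the answer prescribes, and checks the certificate count, the issuer-to-subject linkage between consecutive certificates, and that the host certificate verifies against the CA bundle, before the pkcs12 and keytool steps; all names and files are constructed for the demo.

```shell
# Added example, not part of the answer: build a throwaway hierarchy ROOT -> CA1 -> CA,
# issue a host certificate, assemble chain.pem in the answer's order and check order,
# count and validity before the pkcs12/keytool steps. All names are constructed.
set -e
WORK=$(mktemp -d)

# issue <name> <issuer or ""> [ca]: self-signed root when the issuer is empty,
# otherwise a CSR for <name> signed by <issuer> (with CA:TRUE if 3rd arg is "ca").
issue() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    if [ -z "$2" ]; then
        openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=$1" -days 365 -out "$WORK/$1.pem" 2>/dev/null
        return
    fi
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
    ext=""
    if [ "$3" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/$1.ext"
        ext="-extfile $WORK/$1.ext"   # expanded unquoted below, on purpose
    fi
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 $ext -out "$WORK/$1.pem" 2>/dev/null
}

# chain_order_ok <bundle> <count>: 0 if the bundle holds exactly <count> certificates
# and each certificate's issuer is the subject of the one that follows it.
chain_order_ok() {
    d=$(mktemp -d)
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    [ "$n" -eq "$2" ] || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
}

issue ROOT ""; issue CA1 ROOT ca; issue CA CA1 ca; issue host CA
cat "$WORK/CA.pem" "$WORK/CA1.pem" "$WORK/ROOT.pem" > "$WORK/ca_chain_cert.pem"
cat "$WORK/host.pem" "$WORK/ca_chain_cert.pem" > "$WORK/chain.pem"        # answer's order
cat "$WORK/ca_chain_cert.pem" "$WORK/host.pem" > "$WORK/wrong_order.pem"  # for contrast
good_order()    { chain_order_ok "$WORK/chain.pem" 4; }
wrong_order()   { chain_order_ok "$WORK/wrong_order.pem" 4; }
host_verifies() { openssl verify -CAfile "$WORK/ca_chain_cert.pem" "$WORK/host.pem" >/dev/null 2>&1; }
good_order && host_verifies && echo "chain.pem: 4 certificates, correctly ordered, host cert verifies"
```

The same chain_order_ok check can be run on a real chain.pem before the pkcs12 export; a count other than 4 or a broken link is what later shows up as a short chain in keytool -list.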
